
CrowdStrike FDR

Overview

CrowdStrike Falcon Data Replicator (FDR) is a feature of the CrowdStrike Falcon platform that replicates the raw telemetry collected from endpoints by the Falcon sensor. It gives organizations detailed visibility into endpoint activity by capturing data such as:

  • Process executions: Records of applications and processes running on the system.
  • File and network activity: Logs of file changes and network connections.
  • Security events: Details of threats detected and actions taken by Falcon.

This data is essential for security monitoring, threat hunting, and incident response.

Prerequisites

Before integrating CrowdStrike with AlphaSOC, ensure you have the following:

  • A CrowdStrike subscription.
  • A CrowdStrike Falcon account with permission to view the API Clients and Keys page and to create credentials.

Configuring CrowdStrike FDR for S3 Storage

CrowdStrike FDR can be configured to export its telemetry data to an Amazon S3 bucket for storage and further processing. To integrate CrowdStrike FDR with AlphaSOC, please proceed with the following steps:

Step 1: Configure CrowdStrike Falcon Data Replicator (FDR)

This step is only required for new CrowdStrike FDR implementations. If you already capture and store your telemetry via CrowdStrike FDR in your own S3 bucket, skip to Step 2b, which explains how to let AlphaSOC read from your existing storage.

Configuring CrowdStrike FDR requires:

  • Enabling CrowdStrike FDR.
  • Generating new FDR credentials in the CrowdStrike Falcon console and recording them.

First, ensure that CrowdStrike Falcon Data Replicator (FDR) is enabled on your CrowdStrike instance by going to the Support > API Clients and Keys page in the CrowdStrike Falcon console. Validate that the 'FDR AWS S3 Credentials and SQS Queue' section is present. If it is not, contact CrowdStrike support to enable FDR before proceeding.

Once FDR is enabled, generate new FDR credentials by clicking the Create new credentials button next to 'FDR AWS S3 Credentials and SQS Queue'. Record the Secret value and store it in a secure location (a secrets manager or password vault, not a ticket or e-mail): it is displayed only once, at creation time, and cannot be retrieved afterwards. Next, copy the SQS queue URL and Client ID from the table below that section.

Step 2a: Grant AlphaSOC permission to read from the Amazon SQS queue

AlphaSOC uses the CrowdStrike-provided Amazon SQS queue to learn which FDR data packages are ready, and reads them from the CrowdStrike-provided Amazon S3 bucket. Organizations that already collect CrowdStrike FDR data into their own S3 bucket should proceed to Step 2b instead.

To enable AlphaSOC to read from the SQS queue, provide us with the following information:

  • Client ID: The Amazon Access Key ID for the SQS queue.
  • Secret Access Key: The Amazon Secret Access Key for the SQS queue.
  • SQS Queue URL: The URL of the SQS queue that CrowdStrike uses to send FDR data packages.

These three values are the credentials CrowdStrike issued in Step 1 and grant read access to your endpoint telemetry, so hand them over only through a channel agreed with AlphaSOC, never in plain e-mail or a support ticket.

Step 2b: Grant AlphaSOC permission to read from the Amazon S3 bucket

For organizations with existing S3 buckets collecting CrowdStrike FDR data, configure the appropriate permissions to allow AlphaSOC access to your stored telemetry.

Setting IAM Role Trust and Permissions

Replace the following placeholders with the appropriate AWS resource identifiers in the policies listed below.

  • {{WORKSPACE_ID}} - workspace ID assigned in the AlphaSOC console
  • {{SQS_QUEUE_ARN}} - ARN of your SQS queue
  • {{S3_BUCKET_ARN}} - ARN of your S3 bucket

To obtain the workspace ID, navigate to the Credentials page in the AlphaSOC console. In the Configuration data section at the top of the page, copy the token next to Workspace ID.


IAM Trust Policy

Define who can assume the IAM role by setting a trust relationship. The sts:ExternalId condition binds the role to your AlphaSOC workspace: because the AlphaSOC import principal is shared across customers, requiring your workspace ID as the external ID prevents that principal from being used to reach your role on behalf of another tenant (the confused-deputy problem). Do not omit the condition or relax it to a wildcard.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::610660487454:role/data-import"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{{WORKSPACE_ID}}"
        }
      }
    }
  ]
}

IAM Role Permissions

Define the permissions the role needs for the Amazon S3 bucket and the Amazon SQS queue. The policy is deliberately narrow: s3:GetObject on objects under the bucket only (no write, delete or bucket-listing rights; each SQS message already names the objects to fetch), and just enough SQS rights to receive, acknowledge and re-drive messages.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "{{S3_BUCKET_ARN}}/*"
    },
    {
      "Sid": "SQS",
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "{{SQS_QUEUE_ARN}}"
    }
  ]
}

If the Amazon S3 bucket or the Amazon SQS queue is encrypted with a customer-managed AWS KMS key, the role also needs permission to decrypt with that key. Add the following statement to the Statement array of the permissions policy above, replacing the {{AWS_KEY_ARN}} placeholder with the ARN of your AWS KMS key. Scope it to that key only; do not use "*" as the resource.

{
  "Sid": "KMS",
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "{{AWS_KEY_ARN}}"
}
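The following script assembles the trust policy and permissions policy described above from your own identifiers, validates the ARNs before they reach IAM, and audits a trust policy for the two mistakes that matter most here (a wildcard principal and a missing sts:ExternalId condition). It is an added example, not AlphaSOC's or CrowdStrike's own tooling; the only value taken from this page is the AlphaSOC principal ARN, and the workspace ID, bucket, queue and KMS key ARNs at the bottom are constructed placeholders you must replace. The aws iam commands in the comments are the assumed way to apply the generated documents and are not run by the script.

```python
"""Build and sanity-check the IAM policies for the AlphaSOC data-import role.

Added example, not AlphaSOC's or CrowdStrike's own code. Uses only the
AlphaSOC principal ARN shown in the trust policy on this page; every other
identifier below is a constructed placeholder.
"""
import json
import re
from typing import Dict, List, Optional

# The AlphaSOC role that assumes your role (from the trust policy on this page).
ALPHASOC_IMPORT_ROLE = "arn:aws:iam::610660487454:role/data-import"

# arn:partition:service:region:account:resource (region/account may be empty, as for S3).
ARN_RE = re.compile(r"^arn:aws[a-z-]*:(?P<service>[a-z0-9-]+):[a-z0-9-]*:\d{0,12}:.+$")


def require_arn(value: str, service: str) -> str:
    """Return value if it is an ARN for the expected service, else raise.
    Catches the usual copy-paste mistakes: an SQS queue URL where the queue
    ARN belongs, or a bucket ARN that already carries an object path."""
    m = ARN_RE.match(value)
    if not m or m.group("service") != service:
        raise ValueError(f"expected an ARN for service {service!r}, got {value!r}")
    if service == "s3" and "/" in value:
        raise ValueError("pass the bucket ARN without an object path; '/*' is appended here")
    return value


def trust_policy(workspace_id: str) -> Dict:
    """Only AlphaSOC's import role may assume the role, and only when it
    presents your workspace ID as sts:ExternalId (confused-deputy guard)."""
    if not workspace_id or not workspace_id.strip():
        raise ValueError("workspace_id is required for the sts:ExternalId condition")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ALPHASOC_IMPORT_ROLE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": workspace_id}},
        }],
    }


def permissions_policy(bucket_arn: str, queue_arn: str,
                       kms_key_arn: Optional[str] = None) -> Dict:
    """Read objects, consume the queue and, only when SSE-KMS is in use,
    decrypt with that one key. No write, delete or ListBucket rights."""
    statements = [
        {"Sid": "S3", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": require_arn(bucket_arn, "s3") + "/*"},
        {"Sid": "SQS", "Effect": "Allow",
         "Action": ["sqs:ChangeMessageVisibility", "sqs:DeleteMessage",
                    "sqs:ReceiveMessage", "sqs:GetQueueAttributes"],
         "Resource": require_arn(queue_arn, "sqs")},
    ]
    if kms_key_arn:
        statements.append({"Sid": "KMS", "Effect": "Allow", "Action": "kms:Decrypt",
                           "Resource": require_arn(kms_key_arn, "kms")})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_trust_policy(policy: Dict) -> List[str]:
    """Findings for a trust policy broader than this page prescribes.
    An empty list means the policy has the expected shape."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("Principal is '*': any AWS account could assume the role")
        elif aws != ALPHASOC_IMPORT_ROLE:
            findings.append(f"unexpected principal {aws!r}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: confused-deputy exposure; "
                            "require your AlphaSOC workspace ID")
    return findings


# Constructed placeholders for the demo run; replace with your own values.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
BUCKET_ARN = "arn:aws:s3:::example-fdr-bucket"
QUEUE_ARN = "arn:aws:sqs:us-west-1:123456789012:example-fdr-queue"

if __name__ == "__main__":
    # Save the two documents as trust.json and permissions.json, then (assumed usage):
    #   aws iam create-role --role-name alphasoc-fdr-import \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name alphasoc-fdr-import \
    #       --policy-name fdr-read --policy-document file://permissions.json
    print(json.dumps(trust_policy(WORKSPACE_ID), indent=2))
    print(json.dumps(permissions_policy(BUCKET_ARN, QUEUE_ARN), indent=2))
    weak = trust_policy(WORKSPACE_ID)
    del weak["Statement"][0]["Condition"]      # the weak variant: no ExternalId
    print(audit_trust_policy(weak))
```

Run audit_trust_policy against the trust policy IAM actually stores (aws iam get-role returns it under AssumeRolePolicyDocument) rather than against the file you wrote, so that a later edit in the console that drops the condition is caught too.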

If your organization uses a storage solution other than Amazon S3 for your CrowdStrike FDR data, AlphaSOC can connect to your existing infrastructure. For configuration guidance with alternative storage platforms, please refer to the Collecting Data section of the AlphaSOC documentation or contact us at support@alphasoc.com.